LinkedIn Password Breach Illustrates Endemic Security Issue

LinkedIn’s loss of 6.5 million passwords is bad enough, but the fact they were easily deciphered shows a stunning lack of care for software security, and should serve notice to business customers of cloud-based services that they shouldn’t assume vendors are “doing it right,” says noted software expert Gary McGraw.

LinkedIn confirmed Wednesday afternoon that “some passwords” corresponding to LinkedIn accounts were compromised. In a blog post, LinkedIn director Vincente Silveira said the company will email members whose passwords were compromised to tell them those passwords are no longer valid. Instructions on how to reset their passwords will follow in a separate e-mail.

Silveira added that LinkedIn has “just recently” put in place security measures that would prevent hackers from easily guessing passwords.

McGraw, CTO of software security consulting firm Cigital, and author of the seminal textbook Software Security, tells CIO Journal that LinkedIn software engineers “should have done a better job of building security into their service from the start.” LinkedIn had merely hashed the passwords in order to store them in a database file – meaning they had been converted using a standard algorithm. But they hadn’t added encryption to the hash, which would have made it much more difficult for hackers to decipher the file. “We all know better than that,” McGraw said.
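The article describes the missing step as “encryption” of the hash; in practice the control that makes a stolen password table hard to decipher is a random per-user salt combined with a deliberately slow key-derivation function, so that identical passwords no longer produce identical stored values and each guess costs the attacker real work. The following Python is an added example, not code from LinkedIn or from McGraw’s firm, and the user table, iteration count and record layout in it are constructed for illustration. It puts the weak pattern (one fast, unsalted hash) beside a hardened one (PBKDF2-HMAC-SHA256 with a 16-byte salt) and shows the property a defender can check for in their own store: how many accounts share a stored value.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Work factor for PBKDF2-HMAC-SHA256. Constructed for this example; a real
# deployment tunes the count so one verification costs tens of milliseconds
# on its own hardware and revisits it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The weak pattern the article describes: a single fast hash with no
    salt. Every account that picks the same password stores the same value,
    so one recovered value unlocks all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Hardened storage: fresh random salt per account plus a slow KDF.
    The salt and iteration count are stored alongside the hash because the
    verifier needs them; neither is secret."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "algo": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Recompute the KDF with the stored salt and parameters and compare in
    constant time, so timing does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def shared_value_accounts(stored_values: list) -> int:
    """Number of accounts whose stored value is shared with at least one other
    account. A healthy salted store returns 0; an unsalted store exposes
    every cluster of users who chose the same password."""
    counts = Counter(stored_values)
    return sum(n for n in counts.values() if n > 1)


# Constructed sample user table: three of five users chose the same password.
SAMPLE_USERS = [
    ("alice", "linkedin2012"),
    ("bob", "linkedin2012"),
    ("carol", "correct horse battery"),
    ("dave", "linkedin2012"),
    ("erin", "Tr0ub4dor&3"),
]


def compare_stores(users=SAMPLE_USERS, iterations: int = ITERATIONS) -> dict:
    """Build both kinds of store for the same users and report how many
    accounts each one exposes through shared stored values."""
    unsalted = [unsalted_hash(pw) for _, pw in users]
    salted = [make_record(pw, iterations)["hash"] for _, pw in users]
    return {
        "unsalted_shared": shared_value_accounts(unsalted),
        "salted_shared": shared_value_accounts(salted),
    }


if __name__ == "__main__":
    print(compare_stores())  # the unsalted store exposes 3 accounts, the salted one 0
    rec = make_record("linkedin2012")
    print(verify(rec, "linkedin2012"), verify(rec, "linkedin2013"))  # True False
```

The storage format records the algorithm and iteration count with each hash, which is what lets an operator raise the work factor later and re-hash accounts at their next successful login without a flag day.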

McGraw said “when you decide to use somebody else’s solution, like software-as-a-service, including social networking solutions, then you have to ask them some questions about how they’re doing security. You can’t just assume they’re doing it right, even with large, popular solutions.

“People have an implicit assumption that everyone building stuff they’re using is doing a good job. Why they have that impression is unclear.”

The passwords of some 6.5 million LinkedIn subscribers, or approximately 4% of LinkedIn’s 150 million members, were reportedly posted to a hacker site early Wednesday. Two security firms, Sophos and Rapid7, separately told CIO Journal they were able to confirm the breach by searching for the known passwords of colleagues within a massive file that has been spreading through other hacker forums.

Comments (5 of 11)

Looks like they still have problems. Though I deleted all my additional email addresses that I had listed in LinkedIn, I am still receiving emails at the old ones. Looks like the probability of their systems being hacked again is high, given that they still cannot clean up their customers' data. It's ironic that their website asks me to add an additional email address (I have one now, though I had three listed earlier before they were hacked) to ensure that I don't get locked out of their website because I have only one address, but at the same time they are sending me emails to addresses that they should no longer have in their systems. Disappointed that they are misleading their customers and cannot come clean with the mess of systems that they have internally, duplicating customer data all over the place.

8:45 am June 11, 2012

tobyp wrote:

I find it interesting that the focus of reporting around the LinkedIn incident remains the storing of passwords. When is someone going to ask the questions regarding HOW LONG hackers were in LinkedIn's systems? And WHAT ACCESS method was used to gain entrance into LinkedIn's protected network. Hackers don't simply stumble into the password data store unless LinkedIn did an incredibly bad job of defending its systems. I'm willing to bet that there was little, if any, thought given to a "defense in depth" posture (successive layers of access security coupled with intense net flow monitoring AND good software development practices) for the LinkedIn systems. Couple this with "Cloud" services that are not that robust, and you have a great recipe for disasters such as LinkedIn's.
Having lived this nightmare in past lives, this is one more wakeup call for IT organizations to take the issues around network and data security seriously - and DO SOMETHING rather than offer mere platitudes to their business partners and leaders.

3:26 pm June 7, 2012

Roberto wrote:

"LinkedIn had merely hashed the passwords in order to store them in a database file – meaning they had been converted using a standard algorithm. But they hadn’t added encryption to the hash, which would have made it much more difficult for hackers to decipher the file."